| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CA+fCnZcvuXR3R-mG1EfztGx5Qvs1U92kuyYEypRJ4tnF=oG04A@mail.gmail.com>
Date: Thu, 4 Dec 2025 16:17:23 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: Ethan Graham <ethan.w.s.graham@...il.com>
Cc: glider@...gle.com, andy@...nel.org, andy.shevchenko@...il.com,
brauner@...nel.org, brendan.higgins@...ux.dev, davem@...emloft.net,
davidgow@...gle.com, dhowells@...hat.com, dvyukov@...gle.com,
elver@...gle.com, herbert@...dor.apana.org.au, ignat@...udflare.com,
jack@...e.cz, jannh@...gle.com, johannes@...solutions.net,
kasan-dev@...glegroups.com, kees@...nel.org, kunit-dev@...glegroups.com,
linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-mm@...ck.org, lukas@...ner.de, rmoar@...gle.com, shuah@...nel.org,
sj@...nel.org, tarasmadan@...gle.com, Ethan Graham <ethangraham@...gle.com>
Subject: Re: [PATCH 01/10] mm/kasan: implement kasan_poison_range
On Thu, Dec 4, 2025 at 3:13 PM Ethan Graham <ethan.w.s.graham@...il.com> wrote:
>
> From: Ethan Graham <ethangraham@...gle.com>
>
> Introduce a new helper function, kasan_poison_range(), to encapsulate
> the logic for poisoning an arbitrary memory range of a given size, and
> expose it publically in <include/linux/kasan.h>.
>
> This is a preparatory change for the upcoming KFuzzTest patches, which
> requires the ability to poison the inter-region padding in its input
> buffers.
>
> No functional change to any other subsystem is intended by this commit.
>
> Signed-off-by: Ethan Graham <ethangraham@...gle.com>
> Signed-off-by: Ethan Graham <ethan.w.s.graham@...il.com>
> Reviewed-by: Alexander Potapenko <glider@...gle.com>
>
> ---
> PR v3:
> - Move kasan_poison_range into mm/kasan/common.c so that it is built
> with HW_TAGS mode enabled.
> - Add a runtime check for kasan_enabled() in kasan_poison_range.
> - Add two WARN_ON()s in kasan_poison_range when the input is invalid.
> PR v1:
> - Enforce KASAN_GRANULE_SIZE alignment for the end of the range in
> kasan_poison_range(), and return -EINVAL when this isn't respected.
> ---
> ---
> include/linux/kasan.h | 11 +++++++++++
> mm/kasan/common.c | 37 +++++++++++++++++++++++++++++++++++++
> 2 files changed, 48 insertions(+)
>
> diff --git a/include/linux/kasan.h b/include/linux/kasan.h
> index 890011071f2b..cd6cdf732378 100644
> --- a/include/linux/kasan.h
> +++ b/include/linux/kasan.h
> @@ -102,6 +102,16 @@ static inline bool kasan_has_integrated_init(void)
> }
>
> #ifdef CONFIG_KASAN
> +
> +/**
> + * kasan_poison_range - poison the memory range [@addr, @addr + @size)
> + *
> + * The exact behavior is subject to alignment with KASAN_GRANULE_SIZE, defined
> + * in <mm/kasan/kasan.h>: if @start is unaligned, the initial partial granule
> + * at the beginning of the range is only poisoned if CONFIG_KASAN_GENERIC=y.
You can also mention that @addr + @size must be aligned.
> + */
> +int kasan_poison_range(const void *addr, size_t size);
> +
> void __kasan_unpoison_range(const void *addr, size_t size);
> static __always_inline void kasan_unpoison_range(const void *addr, size_t size)
> {
> @@ -402,6 +412,7 @@ static __always_inline bool kasan_check_byte(const void *addr)
>
> #else /* CONFIG_KASAN */
>
> +static inline int kasan_poison_range(const void *start, size_t size) { return 0; }
> static inline void kasan_unpoison_range(const void *address, size_t size) {}
> static inline void kasan_poison_pages(struct page *page, unsigned int order,
> bool init) {}
> diff --git a/mm/kasan/common.c b/mm/kasan/common.c
> index 9142964ab9c9..c83579ef37c6 100644
> --- a/mm/kasan/common.c
> +++ b/mm/kasan/common.c
> @@ -570,3 +570,40 @@ bool __kasan_check_byte(const void *address, unsigned long ip)
> }
> return true;
> }
> +
> +int kasan_poison_range(const void *addr, size_t size)
> +{
> + uintptr_t start_addr = (uintptr_t)addr;
> + uintptr_t head_granule_start;
> + uintptr_t poison_body_start;
> + uintptr_t poison_body_end;
> + size_t head_prefix_size;
> + uintptr_t end_addr;
> +
> + if (!kasan_enabled())
> + return 0;
Please move this check to include/linux/kasan.h; see how
kasan_unpoison_range() is implemented. Otherwise eventually these
checks start creeping into lower level functions and the logic of
checking when and whether KASAN is enabled becomes a mess.
> +
> + end_addr = start_addr + size;
> + if (WARN_ON(end_addr % KASAN_GRANULE_SIZE))
> + return -EINVAL;
> +
> + if (WARN_ON(start_addr >= end_addr))
> + return -EINVAL;
> +
> + head_granule_start = ALIGN_DOWN(start_addr, KASAN_GRANULE_SIZE);
> + head_prefix_size = start_addr - head_granule_start;
> +
> + if (IS_ENABLED(CONFIG_KASAN_GENERIC) && head_prefix_size > 0)
> + kasan_poison_last_granule((void *)head_granule_start,
> + head_prefix_size);
As I mentioned before, please rename kasan_poison_last_granule() to
kasan_poison_granule() (or maybe even kasan_poison_partial_granule?).
Here the granule being poisoned is not the last one.
> +
> + poison_body_start = ALIGN(start_addr, KASAN_GRANULE_SIZE);
> + poison_body_end = end_addr;
> +
> + if (poison_body_start < poison_body_end)
> + kasan_poison((void *)poison_body_start,
> + poison_body_end - poison_body_start,
> + KASAN_SLAB_REDZONE, false);
> + return 0;
> +}
> +EXPORT_SYMBOL(kasan_poison_range);
> --
> 2.51.0
>
Powered by blists - more mailing lists